Status: Live
The organization will define and implement policies and procedures for controlling the activities of consultants and other contract personnel. [UCF ID 00778]
Supporting and supported controls
This control directly supports:
- Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj F.2; CobiT 4.1, PO4.14; The Standard of Good Practice for Information Security, SM1.3.1, SM1.3.2; ISO 17799:2005 Code of Practice for Information Security Management, § 8.1.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.8.1.3; ISO/IEC 27002-2005 Code of practice for information security management, § 8.1.3; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § B.1.6; Archer Control Table, ATCS-070
Banking and Finance Guidance
[Exam Tier II Obj F.2, FFIEC IT Examination Handbook – Information Security]
ISO Guidance
All employees, contractors, and third parties should sign and agree to the terms of their employment contract, which should state the security responsibilities of both the employee and the organization. The contract should state and clarify the following: personnel are required to sign a confidentiality statement if access to sensitive information is required; the legal rights and responsibilities of personnel; responsibilities for the classification of information; responsibilities for handling personal information; responsibilities outside the office, such as working at home; and the actions that will be taken if the security requirements are not followed. [§ 8.1.3, ISO 17799:2005 Code of Practice for Information Security Management]
All employees and contractors should sign an employment contract. The contract should state their information security responsibilities. [Annex A.8.1.3, ISO 27001:2005, Information Security Management Systems - Requirements]
All employees, contractors, and third parties should sign and agree to the terms of their employment contract, which should state the security responsibilities of both the employee and the organization. The contract should state and clarify the following: personnel are required to sign a confidentiality statement if access to sensitive information is required; the legal rights and responsibilities of personnel; responsibilities for the classification of information; responsibilities for handling personal information; responsibilities outside the office, such as working at home; and the actions that will be taken if the security requirements are not followed. [§ 8.1.3, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The organization should define and implement policies and procedures for controlling the activities of consultants and other contract personnel by the IT function to assure the protection of the organization's information assets and meet agreed contractual requirements. [PO4.14, CobiT 4.1]
Information security responsibilities should be incorporated into all employee contracts. [SM1.3.1, SM1.3.2, The Standard of Good Practice for Information Security]
UK and Canadian Guidance
Contract and notice periods should be set to 1 year or less. If a longer period is required for recruiting an outside director, the period should be reduced to 1 year or less after the initial period has passed. [§ B.1.6, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of staff who are assigned and acknowledge responsibilities for approved policies, standards, and procedures [UCF Control ID 01680]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
